Reputation: 1323
Offer some REST API resources for specified clients
I think there is no solution for problem we're facing, but for confirmation I would like to you ask here.
We have REST API that is consumed from:
- administration website (AngularJS)
- customer website (AngularJS)
- other REST API clients (own API applications)
Because requests from administration/customer website are made by AngularJS at a client side, users are able to determine (e.g. via FireBug) resources URLs and are able to consume all these resources from their own applications - what we don't want to and we cannot to restrict it e.g. with IP address because requests go from client. We would like to offer some group of resources only for customer / administration website and some resources for own REST API clients and some resources for both, but from the principle of JS requests made from AngularJS (and resource URL visibility) it cannot be done(?).
What could be the best practice for this issue?
Upvotes: 1
Views: 107
Answers (1)
Reputation: 7926
Note: Your REST resources should always be secure. You should never depend on any client side javascript code. If your security is breached because someone knows the URI of an REST api; something is very wrong.
Angular can be made modular is such a way that the customers only see the customer modules and the administrators see the customer and administrator modules. This way you can let the administrators play in a WYSIWYG environment without having them to switch back and forth between the websites.
// Customers.js
// Module only containing customer code
angular.module('myCustomerProducts', ['myMainApp']);
// Administrators.js
// Module only containing administrator code
angular.module('myEditCustomerProducts', ['myCustomerProducts', 'myMainApp']);
Since your website is already separated for administrators and customers you can simply only include and deploy the javascript code for the specified target site. If this is not the case you'll need some server side transformation (eg. ASP.NET, PHP, Jade, ...) to build the index.html dynamically based on the credentials of the user. Depending on the hosting platform, you can also deny access to everyone not in the administrator group when requesting anything from the administrator website (area).
But again; the server side security is way more of value. You can't secure an insecure server with javascript (on the client side).
Upvotes: 1
Related Questions
- Build REST API Endpoint with Angular
- How to make a different ressource for each user using REST API
- Angular service for getting Data in API rest
- AngularJs with REST Api
- Organize API service for AngularJS project
- Managing REST endpoints in Angular JS?
- AngularJS and Rest Service
- Desiging restful API for user resource
- Custom Api Providers
- Angularjs RESTul Resource Request